What Is It?

Researchers at Cisco TALOS and Flashpoint recently reported their findings into two pieces of Point-of-Sale (POS) trojan malware, known respectively as GlitchPOS and DMSniff.

GlitchPOS malware, as detailed by Cisco TALOS, is being marketed by the author similarly to legitimate software. The author has provided screenshots of the control panel, where the user can monitor infections and extracted data. A video showing the malware capturing payment card details is also provided. On a technical level, the malware is packed using Visual Basic with a hidden fake game screen, which extracts the malicious payload. As with most POS malware, the payload is quite small, though it can connect to a command and control (C2) site to register itself, upload stolen card details, update itself, alter its configuration and execute other code.

DMSniff malware, despite its use since late 2015, has gone unanalyzed by researchers. One unique aspect about DMSniff is a function which is unusual for POS malware, the ability to dynamically generate the domain name for its C2 site. An ability that provides malware with more resilience to takedowns. After generating the domain name, the malware appends .in, .ru, .net, .org and .com, until a C2 site responds. In common with GlitchPOS and most other POS malware, DMSniff has a list of processes which it will skip when reading system memory looking for payment card details.

Point-of-Sale malware is quite common and designed to infect systems that process credit and debit card transactions for retailers. POS malware has been responsible for numerous high-profile breaches, including Chili’s and Applebee’s restaurant chains during 2018. In fact, the Verizon Data Breach Investigations Report 2018 found that within the hospitality industry, 90% of all breaches were due to POS malware. It also found POS malware breaches were 40 times more likely in the hospitality industry than the overall average.

POS malware continues to be popular with attackers, as it allows them to immediately monetize the intercepted payment card details for their own purposes or by selling the data in various “carder” forums found mainly on the dark web. Often POS terminals are Windows-based PCs and due to the limited resources required to operate POS software, tend to be older hardware systems running outdated versions of Windows. Due to the downtime required to regularly patch systems, POS terminals frequently lack recent security patches. The result being, POS systems can be regarded as soft targets by attackers, with the potential for significant profit. POS malware generally scans system memory, looking for the data captured from the magnetic stripe on payment cards. This data is either stored locally or immediately exfiltrated to the attackers.

How Does It Propagate?

Neither malware contains the necessary code to self-propagate. Specific infection vectors are not known in these cases, though exploitation of remote access software and social engineering via phishing are known to be commonly used in POS malware attacks.

When/How Did BluVector Detect It?

Two samples of GlitchPOS are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected 61 months prior to their release. Three samples of DMSniff are publicly available and are also all detected. The average detection time prior to release for these samples is 37 months, due to the age of these samples. This translates into both sets of samples being detected by BluVector’s MLE since December 2013.